Supply chain infiltration and exploitation by hackers was brought, yet again, to the forefront this week as Bloomberg reported that China successfully compromised nearly 30 companies through a supply chain attack that has been ongoing since at least 2015. This is the 2nd major attack in as many years – the first being the NotPetya attack – that was widely impactful and involved 3rd party supply chain practices.
According to the Bloomberg report, companies like Amazon, Apple, and others that used devices containing hardware built by Supermicro were impacted in the breach. Allegedly a microchip no bigger than a grain of rice was discovered on the motherboard of a server used by Amazon during a routine security test. In the course of the investigation, investigators and security testers found that the chip opened a backdoor into the affected machines. It is currently unknown how much and what kind of data was stolen or compromised.
This discovery is a major escalation in cybersecurity and demonstrates that China is still very active and a major threat actor, despite Russia getting much of the media attention in the cyber domain over the last few years.
Speaking of Russia, it is not innocent of infiltrating 3rd party services either. In June of 2017, Russia launched an attack on Ukraine by exploiting the MEDoc payment platform used by the Ukrainian government and any company doing business with Ukraine. In the NotPetya attack, Russia successfully hijacked the MEDoc updater software and pushed a software update for MEDoc to all deployed instances. This update installed destructive malware meant to look like ransomware that crawled across internal networks and infected any vulnerable devices, thus destroying all data residing on the impacted devices.
While the NotPetya attack was not technically supply chain infiltration, it was exploitation of a 3rd party product for malicious purposes. It further demonstrates that nation states are increasingly aggressive in using cyber operations as a means of accomplishing their purposes. Infiltrating the supply chain, or even the development cycle in its early stages, is an effective way to quietly compromise a wide array of organizations while still targeting specific companies. It does not require direct hacking of the target’s network or even phishing their employees. The attack is launched well before it successfully compromises the intended victim.
Fixing the Problem
This is a very difficult problem to fix. There are mitigation steps that individual companies can take to decrease their risk, but what needs to be done from a global security perspective to prevent such attacks from succeeding in the future?
- Companies and organizations at all levels of the supply chain must take security more seriously and invest in it.
- Customers (in this case Amazon, Apple, et al.) need to put pressure on their supply chain partners for security and implement strong penalties for failure.
- This is as much an HR issue as a cybersecurity one. Manufacturers, shipping companies, packaging companies, etc. all need to look at their hiring practices and be more judicious about whom they hire.
- Companies must physically secure work spaces where sensitive technology is being produced and processed, and strictly limit who has access to them.
- It may be worth considering not acquiring parts made in China where possible. This will decrease (certainly not eliminate) the opportunity for infiltration.
- Rotate roles and responsibilities: every few weeks or months, rotate the jobs of individuals – especially in the manufacturing process – as this prevents long-term, successful sabotage (so to speak).
The biggest challenge we have is how to protect ourselves from such an attack. It is not an easy problem, as it requires the cooperation of 3rd party partners in the solution, and sometimes those partners might be 3 or 4 steps down the supply chain. Nevertheless, there are a few things you can do to protect yourself to the extent possible:
- In contracts with vendors or other partners, include a security clause that requires security testing and assessments.
- Require vendors or other partners to also require their own 3rd party providers to demonstrate sufficient security.
- All newly purchased devices should be tested before deployment (especially if the devices will be deployed in critical / sensitive locations).
- Segment your networks to limit the amount of data and information that can be stolen and the breadth to which hackers could spread through your network.
- Employ security monitoring and detection, and look for outbound communications from devices that should not be communicating out and/or to IP addresses located in abnormal locations. Give heightened attention to devices newly installed over the last 2-3 months.
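As an added illustration of the monitoring point above (example code written for this post, not Security On-Demand's tooling), this Python script applies the egress check to a constructed firewall log: it flags allowed outbound flows from devices that are not expected to talk to the Internet, or that reach peers in countries the asset inventory does not list, and raises the severity for devices installed within the last 90 days. The asset inventory, the prefix-to-country table, the internal address range and the log format are all assumptions.

```python
import ipaddress
from datetime import date
# Constructed asset inventory (placeholder data): install date, whether the device is
# expected to initiate Internet connections at all, and where its normal peers are located.
ASSETS = {
    "10.0.5.12": {"name": "bmc-srv-07", "installed": date(2018, 8, 20), "egress_ok": False, "countries": set()},
    "10.0.2.40": {"name": "web-proxy-1", "installed": date(2016, 3, 1), "egress_ok": True, "countries": {"US", "DE"}},
    "10.0.3.9": {"name": "db-01", "installed": date(2017, 1, 15), "egress_ok": False, "countries": set()},
}
# Simplified prefix -> country table; an assumption standing in for a real GeoIP feed.
GEO = [(ipaddress.ip_network("203.0.113.0/24"), "CN"), (ipaddress.ip_network("198.51.100.0/24"), "US"),
       (ipaddress.ip_network("192.0.2.0/24"), "DE")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed internal address space
NEW_DEVICE_DAYS = 90  # devices installed within this window get raised severity
TODAY = date(2018, 10, 4)  # constructed "now" for the sample below

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO if addr in net), "??")

def analyze(log_lines, today=TODAY):
    """Flag allowed outbound Internet flows that break the source device's egress policy.
    Log line format (constructed): '<timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>'."""
    alerts = []
    for line in log_lines:
        ts, src, dst, _dport, action = line.split()
        if action != "ALLOW" or ipaddress.ip_address(dst) in INTERNAL:
            continue  # only successful internal -> external flows matter here
        asset = ASSETS.get(src)
        cc = country_of(dst)
        reasons = []
        if asset is None:
            reasons.append("unknown_source_device")  # not in inventory: nobody vetted it
        else:
            if not asset["egress_ok"]:
                reasons.append("egress_not_expected")
            if cc not in asset["countries"]:
                reasons.append("abnormal_destination_country")
        if not reasons:
            continue
        recent = asset is not None and (today - asset["installed"]).days <= NEW_DEVICE_DAYS
        alerts.append({"ts": ts, "device": asset["name"] if asset else src, "dst": dst, "country": cc,
                       "reasons": reasons, "severity": "high" if recent else "medium"})
    return alerts
# Constructed sample firewall log: three of the six flows should raise an alert.
SAMPLE_LOG = [
    "2018-10-04T02:13:07Z 10.0.5.12 203.0.113.45 443 ALLOW", "2018-10-04T02:14:11Z 10.0.2.40 198.51.100.7 443 ALLOW",
    "2018-10-04T02:15:30Z 10.0.2.40 203.0.113.9 8443 ALLOW", "2018-10-04T02:16:02Z 10.0.3.9 10.0.2.40 3128 ALLOW",
    "2018-10-04T02:17:45Z 10.0.3.9 198.51.100.7 443 DENY", "2018-10-04T02:18:00Z 10.0.9.99 192.0.2.5 22 ALLOW",
]
```

Running `analyze(SAMPLE_LOG)` yields a high-severity alert for the recently installed BMC server and medium-severity alerts for the proxy's unusual destination and for the source address missing from the inventory; in practice the inventory and the per-device baseline would be fed from your asset management system rather than hard-coded.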
These are just a few ideas and certainly not holistic. Ultimately, more pressure needs to be put on 3rd party companies throughout the supply chain to be responsible for security.
China will not stop seeking to steal intellectual capital or using cyber operations as a means of espionage and building its economy as long as it can get away with it. Unfortunately, we should expect such operations to continue so long as they are successful and there continue to be no consequences for such behavior.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.